Configuring ACEs in named, extended ACLs
Configuring ACEs is done after using the ip access-list standard <name-str> command described earlier.
Unlike standard ACLs (see the section “Standard ACL structure” for their filtering criteria), extended ACLs use multiple filtering criteria. This enables you to define your IPv4 packet filtering more precisely.
Syntax: (nacl context)
   <deny|permit> <ip|ip-protocol|ip-protocol-nbr>
      <any|host <SA>|SA/mask-length|SA <mask>>
      <any|host <DA>|DA/mask-length|DA <mask>>
      [precedence] [tos] [log]
Appends an ACE to the end of the list of ACEs in the current ACL. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence (see Resequencing the ACEs in an ACL).
To insert a new ACE between two existing ACEs in an extended, named ACL, precede deny or permit with an appropriate sequence number along with the ACE keywords and variables you want. See Inserting an ACE in an existing ACL.
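The sequence-number behaviour just described (append in increments of 10, insert with an explicit number, renumber with resequence) is easy to get wrong when ACLs are generated or audited by script. The following is an added example, not code from the switch manual or from the switch itself: a small Python model of a named ACL's numbering. The class and method names are assumptions; the ACE strings are constructed samples.

```python
# Added example, not from the switch manual: a small model of how ACE
# sequence numbers behave in a named ACL as described above. Appended ACEs
# get consecutive numbers in increments of 10, an ACE can be placed between
# two others by giving it an explicit sequence number, and resequencing
# renumbers the whole list. The class and method names are assumptions.

class NamedAcl:
    def __init__(self, name, step=10):
        self.name = name
        self.step = step
        self.aces = []          # (sequence number, ACE text), sorted by number

    def append(self, ace_text):
        """Append an ACE; it gets the next number after the last one."""
        seq = (self.aces[-1][0] + self.step) if self.aces else self.step
        self.aces.append((seq, ace_text))
        return seq

    def insert(self, seq, ace_text):
        """Insert an ACE with an explicit sequence number (e.g. 15 to land
        between 10 and 20); the list is kept in sequence-number order."""
        if any(s == seq for s, _ in self.aces):
            raise ValueError(f"sequence number {seq} already in use")
        self.aces.append((seq, ace_text))
        self.aces.sort(key=lambda e: e[0])
        return seq

    def resequence(self, start=10, step=10):
        """Renumber every ACE from `start` in increments of `step`, keeping
        their relative order; returns the new sequence numbers."""
        self.step = step
        self.aces = [(start + i * step, t) for i, (_, t) in enumerate(self.aces)]
        return self.sequence_numbers()

    def sequence_numbers(self):
        return [s for s, _ in self.aces]

    def show(self):
        """Render the ACEs the way a numbered listing would show them."""
        return "\n".join(f"{s} {t}" for s, t in self.aces)


if __name__ == "__main__":
    acl = NamedAcl("demo")                       # constructed sample ACL
    acl.append("permit ip host 10.1.1.5 any")
    acl.append("deny ip 10.1.1.0/24 any")
    acl.insert(15, "permit tcp 10.1.1.0/24 host 192.168.5.20")
    print(acl.show())
    print(acl.resequence())
```

Because evaluation order follows sequence numbers, an ACE inserted with a number below an existing deny changes what that deny still sees; keeping a model like this beside the running configuration makes such ordering effects visible before a change is pushed.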
A packet matches an ACE only if it meets all of the following:
   the protocol-specific criteria configured in the ACE, including any included, optional elements (described later in this section)
   any (optional) precedence and/or ToS settings configured in the ACE
<deny|permit>
For named ACLs, these keywords are used in the "Named ACL" (nacl) context to specify whether the ACE denies or permits a packet matching the criteria in the ACE, as described below.
<ip|ip-protocol|ip-protocol-nbr>
Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following:
ip – any IPv4 packet.
ip-protocol – any one of the following IPv4 protocol names:
   ip-in-ip
   ipv6-in-ip
   gre
   esp
   ah
   ospf
   pim
   vrrp
   sctp
   tcp*
   udp*
   icmp*
   igmp*
   *For TCP, UDP, ICMP, and IGMP, additional criteria can be specified.
ip-protocol-nbr – the protocol number of an IPv4 packet type, such as "8" for Exterior Gateway Protocol or 121 for Simple Message Protocol. (Range: 0–255.) For a listing of IPv4 protocol numbers and their corresponding protocol names, see the IANA "Protocol Number Assignment Services" at http://www.iana.com.
<any|host <SA>|SA <mask>|SA/mask-length>
This is the first instance of IPv4 addressing in an extended ACE. It follows the protocol specifier and defines the source address (SA) a packet must carry for a match with the ACE.
any – allows IPv4 packets from any SA.
host <SA> – specifies only packets having a single address as the SA. Use this criterion when you want to match only the IPv4 packets from a single SA.
SA <mask> or SA/mask-length – specifies packets received from an SA, where the SA is either a subnet or a group of addresses. The mask can be in either dotted-decimal format or CIDR format (number of significant bits).
SA mask application: the mask is applied to the SA in the ACL to define which bits in a packet's SA must exactly match the SA configured in the ACL and which bits need not match. Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any address in the range of 10.10.10.(1 - 255). Note: specifying a group of contiguous addresses may require more than one ACE.
<any|host <DA>|DA/mask-length|DA <mask>>
This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE.
any – allows routed IPv4 packets to any DA.
host <DA> – specifies only packets having DA as the destination address. Use this criterion when you want to match only the IPv4 packets for a single DA.
DA/mask-length or DA <mask> – specifies packets intended for a destination address, where the address is either a subnet or a group of addresses. The mask can be in either dotted-decimal format or CIDR format (number of significant bits).
DA mask application: the mask is applied to the DA in the ACL to define which bits in a packet's DA must exactly match the DA configured in the ACL and which bits need not match.
[precedence <0-7|precedence-name>]
This option can be used after the DA to cause the ACE to match packets with the specified IP precedence value. Values can be entered as the following IP precedence numbers or alphanumeric names:
   0 or routine
   1 or priority
   2 or immediate
   3 or flash
   4 or flash-override
   5 or critical
   6 or internet (for internetwork control)
   7 or network (for network control)
The precedence criteria described in this section are applied in addition to any other selection criteria configured in the same ACE.
[tos <tos-setting>]
This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting. ToS values can be entered as the following numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names:
   0 or normal
   2 or max-reliability
   4 or max-throughput
   6
   8 or minimize-delay
   10
   12
   14
The ToS criteria in this section are applied in addition to any other criteria configured in the same ACE.
[log]
This option can be used after the DA to generate a log message when all of the following are true:
   The action is deny. (Not applicable to permit.)
   There is a match.
   ACL logging is enabled.
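The SA and DA mask-application rules above, the precedence and ToS criteria, and the restriction of log to deny ACEs are the parts of the syntax that most often surprise people reviewing an ACL. The following is an added example, not code from the switch manual or from the switch itself: a Python parser for ACEs in the syntax described on this page and a matcher that evaluates packets against them in order. Function names, the packet dictionaries, the protocol-number table (IANA values for the names listed above) and the sample ACL are assumptions of this example.

```python
# Added example, not from the switch manual: a parser and matcher for ACEs
# written in the extended-ACL syntax described above, showing how the SA/DA
# mask (CIDR or dotted-decimal ACL mask), the protocol field and the optional
# precedence/tos criteria combine, and that "log" is accepted only on deny.
# Function names, the packet dictionaries and the sample ACL are assumptions.
import ipaddress

# IANA protocol numbers for the protocol names listed on this page
PROTO_NAMES = {"ip-in-ip": 4, "ipv6-in-ip": 41, "gre": 47, "esp": 50, "ah": 51,
               "ospf": 89, "pim": 103, "vrrp": 112, "sctp": 132,
               "tcp": 6, "udp": 17, "icmp": 1, "igmp": 2}
PRECEDENCE_NAMES = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                    "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
TOS_NAMES = {"normal": 0, "max-reliability": 2, "max-throughput": 4, "minimize-delay": 8}
TOS_VALUES = {0, 2, 4, 6, 8, 10, 12, 14}

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr_spec(tokens, i):
    """Parse one SA/DA spec at tokens[i]. Returns ((base, care mask), next i):
    a packet address matches when every bit set in the care mask equals the
    same bit in base, so base is normalised to its care bits."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1                                # no bit has to match
    if tok == "host":
        return (_to_int(tokens[i + 1]), 0xFFFFFFFF), i + 2  # every bit must match
    if "/" in tok:                                          # SA/mask-length (CIDR)
        net = ipaddress.ip_network(tok, strict=False)
        return (int(net.network_address), int(net.netmask)), i + 1
    # SA <mask> in dotted decimal: a 1 bit in the mask means "need not match"
    care = ~_to_int(tokens[i + 1]) & 0xFFFFFFFF
    return (_to_int(tok) & care, care), i + 2

def parse_ace(line):
    t = line.split()
    action, proto = t[0], t[1]
    if action not in ("deny", "permit"):
        raise ValueError(f"unknown action {action!r}")
    if proto == "ip":
        proto_nbr = None                                    # any IPv4 packet
    elif proto in PROTO_NAMES:
        proto_nbr = PROTO_NAMES[proto]
    else:
        proto_nbr = int(proto)                              # ip-protocol-nbr, 0-255
        if not 0 <= proto_nbr <= 255:
            raise ValueError(f"protocol number {proto_nbr} out of range")
    src, i = parse_addr_spec(t, 2)
    dst, i = parse_addr_spec(t, i)
    ace = {"action": action, "proto": proto_nbr, "src": src, "dst": dst,
           "precedence": None, "tos": None, "log": False}
    while i < len(t):                                       # optional trailing keywords
        if t[i] == "precedence":
            v = t[i + 1]
            ace["precedence"] = PRECEDENCE_NAMES[v] if v in PRECEDENCE_NAMES else int(v)
            if not 0 <= ace["precedence"] <= 7:
                raise ValueError("precedence must be 0-7")
            i += 2
        elif t[i] == "tos":
            v = t[i + 1]
            ace["tos"] = TOS_NAMES[v] if v in TOS_NAMES else int(v)
            if ace["tos"] not in TOS_VALUES:
                raise ValueError("tos must be one of 0,2,4,6,8,10,12,14")
            i += 2
        elif t[i] == "log":
            if action != "deny":
                raise ValueError("log is not applicable to permit")
            ace["log"] = True
            i += 1
        else:
            raise ValueError(f"unexpected token {t[i]!r}")
    return ace

def ace_matches(ace, pkt):
    """Every configured criterion must hold: protocol, SA, DA, precedence, ToS."""
    if ace["proto"] is not None and pkt["proto"] != ace["proto"]:
        return False
    for spec, addr in ((ace["src"], pkt["src"]), (ace["dst"], pkt["dst"])):
        base, care = spec
        if (_to_int(addr) & care) != (base & care):
            return False
    if ace["precedence"] is not None and pkt.get("precedence", 0) != ace["precedence"]:
        return False
    if ace["tos"] is not None and pkt.get("tos", 0) != ace["tos"]:
        return False
    return True

def evaluate(aces, pkt):
    """Walk the ACEs in order; the first match decides. Returns (action, index),
    or (None, None) when no ACE matches (that case is outside this page)."""
    for idx, ace in enumerate(aces):
        if ace_matches(ace, pkt):
            return ace["action"], idx
    return None, None

# Constructed sample ACL using each address form and the optional keywords
SAMPLE_ACL = [parse_ace(l) for l in (
    "deny tcp 10.10.10.1 0.0.0.255 host 192.168.1.10 log",
    "permit ip 10.10.10.1/24 any",
    "permit 89 any any precedence internet",               # OSPF by protocol number
    "deny ip any any tos max-reliability",
)]
```

Calling evaluate(SAMPLE_ACL, {"proto": 6, "src": "10.10.10.200", "dst": "192.168.1.10"}) returns ("deny", 0): the dotted-decimal mask 0.0.0.255 leaves the last octet free, so 10.10.10.200 matches the ACE written with 10.10.10.1, exactly as the page's example of 10.10.10.1/24 and 10.10.10.1 0.0.0.255 being equivalent describes. A packet with no precedence or ToS set matches only ACEs that leave those options unconfigured, which is why the third sample ACE does not catch an OSPF packet carrying precedence 0.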